SANS NewsBites

Software Makers with US Government Customers Have a Year (or Less) to Provide Self-Attestations; FishPig Hit with Supply Chain Attack; Microsoft Patch Tuesday Includes Fix for Flaw Added to Known Exploited Vulnerabilities Catalog

September 16, 2022  |  Volume XXIV - Issue #72

Top of the News

2022-09-15

US Office of Management and Budget Memorandum on Software Supply Chain Security

In a memorandum for the heads of executive departments and agencies, the US Office of Management and Budget (OMB) requires agencies to comply with US National Institute of Standards and Technology (NIST) guidance regarding software supply chain security. NIST developed best practices guidelines for the software supply chain, NIST Secure Software Development Framework (SSDF), SP 800-218, and the NIST Software Supply Chain Security Guidance, to comply with the May 2021 cybersecurity executive order. The memorandum notes that “agencies are required to obtain a self-attestation from the software producer before using the software.”

Editor's Note

If you’re a software producer with any sales in federal government space, this is huge. You’ll have 365 days (or 270 days if your software is considered “critical” by the procuring agency) to get your attestations together. While the agency standard attestation forms are not yet released, software producers should be looking at SP 800-218 now and beginning their gap assessments now as most development orgs do not meet the requirements in SP 800-218.

Jake Williams

This is a big (huge) deal as the scope includes firmware, operating systems, applications and application services (a.k.a. cloud services) as well as all products containing software. Read the scope carefully as it also limits the requirement to software developed, or major version changes to existing software, after the memorandum date. Agencies are already identifying critical software as part of FISMA data reporting to DHS. Critical software includes software that provides security services such as firmware, operating systems, EDR, etc. If you have federal customers, brush up on the memo and 800-218 to develop a plan for providing attestation to your customers.

Lee Neely

I always worry when I see phrases such as “agencies are required to obtain a self-attestation from the software producer before using the software.” Time and time again we have witnessed industry self-regulation fail the consumer and customers, which is why I find the EU proposal for the Cyber Resilience Act, which will require independent certification relating to the security of hardware and software devices, an exciting and promising development, as vendors will legally be required to ensure their products meet minimum security standards. https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act

Brian Honan

One small step in the essential direction of holding suppliers accountable for any malicious code that they ship.

William Hugh Murray

2022-09-15

Software Supply Chain Attack Hits FishPig

eCommerce software maker FishPig has acknowledged that hackers managed to infiltrate its server infrastructure and inject malicious code into the Helper/License.php file. FishPig notes that “it is best to assume that all paid FishPig Magento 2 modules have been infected,” and advises users to reinstall or update extensions.

Editor's Note

This is a far simpler software supply chain attack than SolarWinds, and yet still very impactful. The .php script drops a Rekoobe malware variant to disk and executes it. Threat actors dropped the malware to /tmp and executed it from there. This is where detection engineering comes into play. Hidden files executing from the /tmp directory, especially immediately after being written to disk, should be extremely rare. If you have the right telemetry in place, this is trivial to detect. The threat actors write to /tmp because it's world writable and they can't count on the web server running under a privileged account.

Jake Williams
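The detection idea in the note above (hidden files executed out of /tmp, especially right after being written) can be expressed as a small correlation rule over process and file telemetry. The following is an added example and not code from the original newsletter, FishPig, or Sansec; the event records are constructed stand-ins for what an auditd or EDR feed might provide, and the field names (ts, action, path, pid, comm) are assumptions rather than any product's schema.

```python
import os

# Constructed sample events, loosely modelled on file-write and process-exec
# telemetry. Fields (assumed schema): ts in seconds, action "write" or "exec",
# path of the file written/executed, pid, and comm of the acting process.
SAMPLE_EVENTS = [
    {"ts": 100.0,  "action": "write", "path": "/tmp/.lic",        "pid": 4321, "comm": "php-fpm"},
    {"ts": 100.8,  "action": "exec",  "path": "/tmp/.lic",        "pid": 4322, "comm": ".lic"},
    {"ts": 300.0,  "action": "write", "path": "/tmp/report.txt",  "pid": 777,  "comm": "cron"},
    {"ts": 900.0,  "action": "exec",  "path": "/usr/bin/ls",      "pid": 778,  "comm": "ls"},
    {"ts": 1000.0, "action": "write", "path": "/tmp/build.sh",    "pid": 901,  "comm": "bash"},
    {"ts": 1001.0, "action": "exec",  "path": "/tmp/build.sh",    "pid": 902,  "comm": "build.sh"},
    {"ts": 2000.0, "action": "exec",  "path": "/tmp/.cache-tool", "pid": 950,  "comm": ".cache-tool"},
]

# World-writable locations an unprivileged web server process can drop into.
WORLD_WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


def is_hidden(path):
    """True when the file name itself starts with a dot."""
    return os.path.basename(path).startswith(".")


def in_world_writable(path):
    """True when the path lives under one of the world-writable directories."""
    return any(path == d or path.startswith(d + "/") for d in WORLD_WRITABLE_DIRS)


def detect_tmp_exec(events, window_seconds=5.0):
    """Correlate writes and executions in world-writable directories.

    Returns one alert per execution out of a world-writable directory that is
    either a hidden file, or happens within window_seconds of that path being
    written (or both). Alerts are ordered by event time.
    """
    last_write = {}   # path -> most recent write event seen for it
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        path = ev["path"]
        if not in_world_writable(path):
            continue
        if ev["action"] == "write":
            last_write[path] = ev
            continue
        if ev["action"] != "exec":
            continue

        reasons = []
        if is_hidden(path):
            reasons.append("hidden_file")
        write_ev = last_write.get(path)
        if write_ev is not None and 0 <= ev["ts"] - write_ev["ts"] <= window_seconds:
            reasons.append("exec_shortly_after_write")
        if not reasons:
            continue

        alerts.append({
            "ts": ev["ts"],
            "path": path,
            "pid": ev["pid"],
            "comm": ev["comm"],
            # Which process wrote the file is useful triage context (e.g. a web
            # server worker writing then running something is a strong signal).
            "writer": write_ev["comm"] if write_ev else None,
            "reasons": reasons,
            # Both conditions together is the rare case the note describes.
            "severity": "high" if len(reasons) == 2 else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_tmp_exec(SAMPLE_EVENTS):
        print(alert)
```

Running it on the constructed events yields three alerts: /tmp/.lic (hidden and executed under a second after php-fpm wrote it, severity high), /tmp/build.sh (executed one second after being written, medium), and /tmp/.cache-tool (hidden, medium). The window and directory list are the two knobs to tune against a host's normal build or package activity.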

It looks like FishPig had no controls to detect a compromise of its software. No digital signatures and no verification that the software deployed on its download servers matches the software that should be deployed. Detection happened by a third party, not the vendor.

Johannes Ullrich
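The control the note above finds missing, a check that what sits on the download server matches what was built, is straightforward to implement as a hash manifest produced at build time and verified against the deployed tree. The example below is added here and is not FishPig's script or any Magento tooling; the module layout it creates is a constructed stand-in, and the only file name taken from the story is Helper/License.php.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large archives do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_tree(root, manifest):
    """Compare a deployed tree against a trusted manifest.

    Reports files whose content changed, files the manifest lists that are gone,
    and files present on disk that the manifest never listed (a dropped backdoor
    shows up here even if nothing known was touched).
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def is_clean(report):
    return not any(report.values())


# Constructed stand-in for a packaged extension; not a real module's contents.
SAMPLE_MODULE = {
    "registration.php": "<?php // constructed placeholder\n",
    "Helper/License.php": "<?php class License { function check() { return true; } }\n",
    "etc/module.xml": "<config/>\n",
}


def write_tree(root, files):
    for rel, content in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)


def run_demo():
    """Build a manifest from a clean tree, then tamper with it and re-verify."""
    tmp = tempfile.mkdtemp()
    try:
        write_tree(tmp, SAMPLE_MODULE)
        # In real use this manifest is produced at build time and shipped signed
        # and out of band, never from the same server that serves the files.
        manifest = build_manifest(tmp)
        clean_report = verify_tree(tmp, manifest)

        # Simulate the three things an intruder on the download server can do:
        # alter a shipped file, add a new one, and remove one.
        (Path(tmp) / "Helper/License.php").write_text(
            SAMPLE_MODULE["Helper/License.php"] + "// constructed injected line\n")
        (Path(tmp) / "Helper/.dropper.php").write_text("<?php // constructed\n")
        (Path(tmp) / "etc/module.xml").unlink()
        tampered_report = verify_tree(tmp, manifest)
        return clean_report, tampered_report
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    clean, tampered = run_demo()
    print("clean tree:", clean)
    print("tampered tree:", tampered)
```

The manifest is only as trustworthy as its distribution: it has to be generated on the build system and signed (or at least published over a separate channel) so that an attacker who can rewrite files on the download server cannot rewrite the manifest alongside them. Run on a schedule against the server, the same check is the vendor-side detection the note says was absent.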

Follow the steps on the FishPig Security Announcement to verify if you are or are not affected; they provide a script which both checks your extensions and makes recommendations. Next you need to update/reinstall FishPig. Lastly you need to reboot to clear the malware from memory; this has to be done after clearing the compromised extensions.

Lee Neely

2022-09-13

Microsoft’s September Patch Tuesday Addresses 60+ Vulnerabilities

On Tuesday, September 23, Microsoft released patches for 64 vulnerabilities in a variety of products. The batch of fixes includes five critical flaws and an important privilege elevation vulnerability in the Windows Common Log File System Driver that is being actively exploited. (Ed: This vulnerability has been added to CISA’s Known Exploited Vulnerabilities catalog.)

Editor's Note

A PoC exploit has been released for one of the critical IKE vulnerabilities. These vulnerabilities have a lot of potential to cause havoc, and the only thing saving us here is that the two attacked features, IPSEC and IPv6, are not widely deployed.

Johannes Ullrich

It’s September, students are back in school, we’re back from vacations, ready to ease back into work - not so much this week. Microsoft, Apple and Adobe have all released updates to critical vulnerabilities you need to jump on. Don’t panic - make sure you’ve got backups in case you need to roll back and start your deployment as usual. The five critical flaws for Windows have CVSS scores from 7.8 to 9.8, don’t be fooled, CVE-2022-34718 is wormable, CVE-2022-37869 is privilege escalation, CVE-2022-35085 a similar flaw more easily exploited, CVE-2022-34718 allows an unauthenticated attacker to execute code with privileges, and lastly CVE-2022-37969 fixes a possible bypass scenario to a prior patch of the Windows Log system.

Lee Neely

The number of vulnerabilities that Microsoft patches each month might suggest that they are very good at finding vulnerabilities. However, patching is both an expensive and risky way to achieve essential quality. Much better to detect the vulnerabilities as part of the quality control process.

William Hugh Murray

The Rest of the Week's News

2022-09-13

Lorenz Ransomware Group Exploiting Flaw in Mitel VoIP Appliance

Researchers from Arctic Wolf Labs say that the Lorenz ransomware group exploited a remote code execution vulnerability in Mitel MiVoice Connect to gain initial access to systems. The intruders then waited almost a month before exfiltrating data and encrypting systems. Mitel released an update for MiVoice Connect to address the flaw in July.

Editor's Note

IoT attacks are often considered "nuisance" attacks by bots like Mirai. But among the immense noise created by these bots, we do have more sophisticated attacks that use vulnerable devices like these VoIP systems as a steppingstone to enter otherwise reasonably well-protected networks. Reminds me to finally put my automated cat feeder into the IoT VLAN.

Johannes Ullrich

Remember your VoIP system is a computer and needs to be kept updated, securely configured, and monitored for unexpected activity. Take that a step further: consider almost every system we use today as a computer which needs to be kept secured, ideally asking for that activity to be incorporated into the deployment plan, which may then trigger needs for added cyber resources.

Lee Neely

2022-09-13

FBI Warns of Legacy Medical Device Security Risks

The FBI has published a Private Industry Notification (PIN) warning of security risks posed by unpatched and legacy medical devices. According to the notification, risks include outdated software, using default configurations, and devices designed without security in mind. The FBI’s recommendations include implementing endpoint protection, access management, asset and vulnerability management, and employee training.

Editor's Note

One thing often overlooked when it comes to procuring smart devices (be it a car that interfaces with a smart phone or a wifi-controlled infusion pump) is the fact that vendors typically have rather limited “end of support” timelines. We are used to having devices like this last for a decade or longer, while software support often expires after a couple of years. Will your car still be able to interface with the phone released in 2032?

Johannes Ullrich

These devices have a 10-30 year lifespan, and when they were installed the threat landscape was nothing like it is today. In many cases you’re unlikely to be ready to retire them and may not be able to update them either. Aside from formally tracking the lifecycle of these devices, make sure they are as isolated as possible, and have firm plans (which may require hard conversations) about keeping them updated.

Lee Neely

Intuitively the risk is to the health of patients. However, security is a space in which intuition does not serve us well. More likely is the risk that, using gratuitous general purpose operating system code in the device, it will be co-opted into a botnet.

William Hugh Murray

2022-09-15

FBI Warns of Cyberattacks Against Healthcare Payment Processors

The FBI has published a Private Industry Notification warning of increasing attacks against healthcare sector payment processors. According to the notification, the thieves are using publicly available personally identifiable information belonging to processor employees, along with social engineering tactics, to redirect payments to accounts under their control. The notification lists possible indicators of attempted attacks, including phishing emails, unexpected changes to email exchange server and user accounts, and employees being locked out of payment processor accounts because of failed password recovery attempts.

Editor's Note

The threat actors are changing payment details (ACH, Direct Deposit, etc.) to send funds to their accounts rather than where expected. This means that you should not only check your personal accounts for fraudulent charges, but also verify that corporate payment destinations are valid. Make sure that you have secondary validation of payment account changes, customer or corporate, as well as enforcing multi-factor authentication, making credential compromise attacks much harder. Review the FBI recommendations to find other mitigations you may not have otherwise considered.

Lee Neely

2022-09-15

Microsoft Teams Authentication Tokens Stored Unencrypted

Researchers from the Vectra Protect team found that Microsoft Teams stores authentication tokens unencrypted on Windows, macOS, and Linux systems. Attackers with local or remote system access can steal the tokens of Microsoft Teams users who are signed in. Microsoft says that while it does not have immediate plans to fix the issue, it may address it in a future product release. Until a fix is available, Vectra recommends migrating to the Microsoft Teams web app and creating a system monitoring rule to identify processes accessing the sensitive files.

Editor's Note

If you’re considering migrating to the browser-based Teams app, consider the browser chosen. Not all browser versions support Teams fully and not all browsers have equivalent security protections. Consider Chromium Edge or Chrome for the optimal experience. Even so, there is a reduction of functionality. Note that for Linux users EOL for the Linux desktop Teams client is December 22, so the browser version will be their only option. Monitoring access to the identified files by processes other than the Teams application and implementing a response mechanism may be far more acceptable to end users than switching to the browser-based app.

Lee Neely

2022-09-15

Rust Foundation Establishes Security Team

The Rust Foundation has announced that it is establishing a security team with support from the OpenSSF’s Alpha-Omega Initiative and Rust Foundation member JFrog. “The first initiative for the new Security Team will be to undertake a security audit and threat modeling exercises to identify how security can be economically maintained going forward.”

Editor's Note

With increased attention on supply chain security, expect more security processes and teams to be incorporated into services and products used to develop code. With luck, tools will be developed, such as the govulncheck tool from the Go initiative, to flag code for vulnerabilities, making it easier to fix and release secure code.

Lee Neely

2022-09-13

Some HP Firmware Vulnerabilities Remain Unpatched After Public Disclosure

Researchers from Binarly disclosed several high-severity vulnerabilities in firmware used in HP business computers to the company more than a year ago. Some of the flaws remain unpatched, even after Binarly publicly disclosed them at Black Hat last month. The vulnerabilities could be exploited to steal data or even shut down an affected computer.

Editor's Note

Make sure that firmware updates are in your SOP for keeping systems secure. Also make sure that you’re only deploying genuine firmware updates. If you’re worried about your HP firmware, Binarly has released an open-source tool “FwHunt” to scan for UEFI firmware vulnerabilities.

Lee Neely

2022-09-15

EZVIZ Smart Camera Vulnerabilities

Researchers from Bitdefender have detected multiple vulnerabilities in EZVIZ smart cameras. Three of the flaws – a stack-based buffer overflow vulnerability, an insecure direct object reference vulnerability, and a vulnerability involving strong passwords stored in a recoverable format – can be exploited remotely. A fourth flaw – an improper initialization vulnerability – is locally exploitable. The flaws can be chained to gain remote control of vulnerable cameras and download and decrypt images. The issues affect at least five models of EZVIZ cameras. Patches are available.

Editor's Note

Unlike the old hard-wired analog devices of the past, modern IoT security cameras need to be kept updated. And the frequency of those updates may not be sufficient for all scenarios, which means they should be able to connect only to the services they absolutely need. Use a separate network or SSID, just as your old CCTV system was dedicated to that purpose. Lastly, if your vendor seems disinclined to address security issues, you should be disinclined to continue using their devices.

Lee Neely

2022-09-14

CISA Adds Windows Privilege Elevation and Apple RCE Flaws to Known Exploited Vulnerabilities Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added two security issues to its Known Exploited Vulnerabilities (KEV) catalog: a privilege escalation issue in Microsoft Windows, and a remote code execution vulnerability in iOS, iPadOS, and macOS. Microsoft released a fix for the vulnerability on Tuesday, September 13. Apple patched the RCE flaw on Monday, September 12. Federal agencies are required to apply fixes by October 5.

Editor's Note

Note there are three Linux kernel flaws listed as well, but you have until October 6th to fix them. Don’t overlook Linux in your monthly patch cycle.

Lee Neely

Internet Storm Center Tech Corner

Malicious Word Document With a Frameset

https://isc.sans.edu/diary/Malicious+Word+Document+with+a+Frameset/29052


Easy Process Injection within Python

https://isc.sans.edu/diary/Easy+Process+Injection+within+Python/29048


Microsoft Patch Tuesday

https://isc.sans.edu/forums/diary/Microsoft+September+2022+Patch+Tuesday/29044/


Adobe Patches

https://helpx.adobe.com/security/security-bulletin.html


Magento Vendor FishPig Hacked, Backdoors Added

https://sansec.io/research/rekoobe-fishpig-magento


CVE-2022-34721 Exploit

https://github.com/78ResearchLab/PoC/tree/main/CVE-2022-34721


Trojaned Putty Used in Attacks

https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing


Lenovo BIOS Updates

https://support.lenovo.com/us/en/product_security/LEN-94953#Desktop


Queen Elizabeth Related Phishing

https://twitter.com/threatinsight/status/1570092339984584705


Microsoft 365 Auto Updates Apps on Locked or Idle Devices

https://techcommunity.microsoft.com/t5/microsoft-365-blog/update-under-lock-improved-update-experience-for-microsoft-365/ba-p/3618901